For a small and simple IT fleet like I run, is the secure boot certificate expiry even a problem?
Posted by DeifniteProfessional@reddit | sysadmin | 22 comments
I've seen two posts about this today, and it got me thinking, I've not been worrying about it. We have 3 Windows servers, and one doesn't even boot with UEFI (which I only found out today lol). All the rest of our devices are no older than about 6 years, and updates are managed and applied via our RMM - this includes firmware updates. Whilst we have a mix of Dell, Lenovo, and HP machines, all ~600 of them are still in support by the OEM and are up to date.
So to me, everything would just update as per the typical update schedule and that's the end of it. But I've seen a non-trivial amount of people making various Intune policy changes, or even manually installing updates to ensure continued functionality. Am I missing something?
Oh and yes, I've been through about 12 posts on this sub regarding the certificate updates so far and I'm still none the wiser
Mindestiny@reddit
The updated certificates have been the default for a while now from modern manufacturer bioses.
Six year old devices might be pushing it. There's some detection scripts kicking around you can run against your fleet to see if they have the updated cert already or not, but on a more recently purchased device that's regularly updated, it shouldn't be an issue.
Fallingdamage@reddit
We have 3½-year-old HPs that shipped with only the 2011 certs. And HP still hasn't released a firmware update to address it.
frac6969@reddit
Our older Lenovo computers that don’t even support Windows 11 just got BIOS updates for the new certs.
Fallingdamage@reddit
Lenovo is on their game.
pdp10@reddit
From what I can tell, the relevant components don't come from the hardware vendor, so I don't know that any vendor firmware update would be required:
Do note that I'm looking at the Linux tooling, not any Microsoft tooling.
cookerz30@reddit
More reason to hate HP products.
DeifniteProfessional@reddit (OP)
My RMM has pushed out one of these scripts and currently it suggests the majority of devices are "fine" - I did check that before coming here, but you ever just doubt yourself? Imposter syndrome moment, really felt like I'd been missing out on a global event. Like falling asleep before Y2K then waking up to your entire org down and head scratching
Cheers!
Impossible_IT@reddit
Y2K brings back some memories for sure! I probably had about a year and a half of IT experience then. Was tasked to make sure all the computers I supported were updated with the latest BIOS via the sneakernet.
xendr0me@reddit
Dell just started pushing them out in their BIOS even on the most recent models in October 2025, so that's a pretty broad statement. Either way it should be checked on all devices.
pdp10@reddit
Is Secure Boot enabled in firmware? The non-UEFI server obviously isn't using Secure Boot.
syntaxerror53@reddit
And also ensure disk is GPT and not MBR or UEFI/Secure Boot won't turn on.
Professional-Heat690@reddit
Install the April update, start up the Security app and check under Device security. It'll tell you locally on the server if it's updated to the new cert. (If it just says Secure Boot enabled, you don't have the latest patch applied.)
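As an added example (mine, not code from any poster and not one of the detection scripts mentioned in this thread), here is a PowerShell script that does the local check above on any Windows box, but by parsing the Secure Boot db and KEK variables into their X.509 entries instead of string-matching the raw bytes, so it also shows when each trusted CA expires. It assumes PowerShell 5.1 or later running elevated on a UEFI system; the 2023 CA names are the ones Microsoft uses in its KB5025885 guidance, and `Get-SecureBootCertificate` / `Test-SecureBootCertReadiness` are names I chose.

```powershell
# Added example, not from the thread or from any vendor script: parse the Secure Boot
# db and KEK variables and report which signing CAs are trusted, when each expires, and
# whether the 2023 Microsoft CAs that replace the 2011 ones are present.
# Assumes PowerShell 5.1+ running elevated on a UEFI machine (Get-SecureBootUEFI throws on legacy BIOS).

$EFI_CERT_X509_GUID = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Variable)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST: SignatureType GUID (16) | SignatureListSize (4) |
        # SignatureHeaderSize (4) | SignatureSize (4) | header | EFI_SIGNATURE_DATA entries
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed signature list in $Variable at offset $offset" }

        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) | SignatureData (a DER certificate for X.509 lists)
            if ($type -eq $EFI_CERT_X509_GUID) {
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Owner      = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            # Hash lists (most of dbx) are skipped; only certificate entries matter for the rollover.
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Test-SecureBootCertReadiness {
    try { $enabled = Confirm-SecureBootUEFI } catch { throw "No UEFI Secure Boot on this system: $_" }

    $certs = foreach ($v in 'KEK', 'db') { Get-SecureBootCertificate -Variable $v }

    # Replacement CAs named in Microsoft's KB5025885 guidance; the 2011 CAs they supersede expire in 2026.
    $expected = @{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    }
    $missing = foreach ($v in $expected.Keys) {
        foreach ($name in $expected[$v]) {
            $hit = $certs | Where-Object { $_.Variable -eq $v -and $_.Subject -match [regex]::Escape($name) }
            if (-not $hit) { "${v}: $name" }
        }
    }

    [pscustomobject]@{
        SecureBootEnabled  = $enabled
        Certificates       = $certs | Sort-Object Variable, NotAfter
        Missing2023CAs     = @($missing)
        ExpiringWithinYear = @($certs | Where-Object { $_.NotAfter -lt (Get-Date).AddYears(1) })
    }
}

$result = Test-SecureBootCertReadiness
$result.Certificates | Format-Table Variable, @{ n = 'NotAfter'; e = { $_.NotAfter.ToString('yyyy-MM-dd') } }, Subject -AutoSize
if ($result.Missing2023CAs)      { Write-Warning ("Missing 2023 CAs:`n  " + ($result.Missing2023CAs -join "`n  ")) }
if ($result.ExpiringWithinYear)  { Write-Warning ("Still trusting soon-to-expire CAs: " + ($result.ExpiringWithinYear.Subject -join '; ')) }
if (-not $result.Missing2023CAs) { 'All expected 2023 Secure Boot CAs are present.' }
```

The one-liner most detection scripts use, `[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes) -match 'Windows UEFI CA 2023'`, answers only "is the new db cert there"; parsing the lists also shows the KEK, which matters because a KEK update has to be signed by the OEM's platform key, which is why the thread keeps coming back to whether the OEM has shipped anything. A db that still lists only the 2011 CAs on a machine that has had every Windows update is the case to chase with the OEM or with the Intune/registry opt-in, not something the regular patch cycle will quietly fix.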
FranksHisName@reddit
Use the detection and remediation scripts from blog.mindcore.dk
My fleet of 3000 HP laptops needed the script. Only 1/3 had the new certs and were using them after a full year of Intune having the configuration set. Been brewing for 2 weeks and got it up to 50%.
Fallingdamage@reddit
We have some 3¼- to 4-year-old HPs that still don't have the new certs and will not accept them if I try to manually push them. HP still hasn't come out with a firmware fix for it. Do these scripts work for that?
Most of our fleet are even older Lenovos and they took the manual/scripted cert updates no problem. The newer HPs have been a problem.
FranksHisName@reddit
Yes, try it. Only 3 BitLocker triggers out of 3000.
Nighteyesv@reddit
Assuming you have Intune, there’s a Secure Boot Status report in Intune to let you know how your environment is doing to see what machines need attention. Intune focuses on workstations so that doesn’t resolve questions about servers but better than nothing.
Hot_Direction7888@reddit
The real core question he’s asking
👉 “Can I trust my current update process, or do I need to manually intervene?”
⸻
🧾 Bottom line
aguynamedbrand@reddit
If you can’t respond without using AI don’t respond at all.
Hot_Direction7888@reddit
Oh you guys hate ai got it
gangaskan@reddit
No, we don't hate AI, you still need to learn and understand the sometimes utter bullshit it can spew out.
You're just copy pasta at that point.
DeifniteProfessional@reddit (OP)
Thanks... Gemini? Which model wrote this drivel?
Hobbit_Hardcase@reddit
It's a certificate that's embedded in the BIOS. Use the Intune config to turn on the Reg keys that allow the update, then make sure the BIOS is up to date, with whatever method works for you.